Hermes Agent
π Dedicated Hermes hosting portal: Hermes Agent on Flux now has its own purpose-built site at hermes.runonflux.com β one-click Hermes AI agent hosting with bring-your-own AI key and privacy-first defaults. It gives you a streamlined checkout (pay by card or subscription via Stripe, or with FLUX crypto) and a dedicated management dashboard β live CPU/RAM/disk stats, an in-browser terminal and file manager, billing and renewal controls, and a global server-location map. The Marketplace walkthrough below still applies β the configuration options are the same, and your instance runs as a standard Flux app you can also manage from cloud.runonflux.com.
This guide walks you through the process of deploying, configuring, and managing Hermes Agent using FluxCloud. Hermes Agent is the self-improving AI agent by Nous Research β it ships a browser dashboard for driving the agent and an OpenAI-compatible API server, with optional private networking via Tailscale.
Hermes Agent is offered in two sizes, both built from the same image:
| Listing | vCPU | RAM | Disk | Best for |
|---|---|---|---|---|
| Hermes Agent | 2 | 4 GB | 20 GB | Getting started and lighter workloads. |
| Hermes Agent Pro | 4 | 8 GB | 80 GB | Heavier or professional usage. |
You can change the specs of your app at any time after deployment, so either listing is a fine starting point.
How the Security Model Worksβ
The Hermes dashboard has no authentication of its own β exposing it directly would let anyone who finds the URL read your AI-provider API keys and drive the agent. The FluxCloud image fixes this with two independent locks:
https://<dashboard-domain> βββΆ Caddy basic-auth gate βββΆ Hermes dashboard
(DASHBOARD_USERNAME + DASHBOARD_PASSWORD)
https://<api-domain> βββΆ OpenAI-compatible API server
(Authorization: Bearer API_SERVER_KEY)
- Dashboard (primary URL) β a Caddy reverse proxy puts an HTTP basic-auth password gate in front of the dashboard. The raw dashboard port is never published.
- API server (second URL) β Hermes' OpenAI-compatible API server is published directly and protected by its own bearer-token key.
Because of this, deployment requires you to set the dashboard username and password plus a separate API server key.
How To Install Hermes Agentβ
There are two ways to deploy Hermes Agent on Flux. Both produce the same app with the same configuration options β pick whichever suits you.
Option A (Recommended): Deploy from hermes.runonflux.comβ
The dedicated portal at hermes.runonflux.com walks you through deployment in a purpose-built wizard and gives you a built-in management dashboard afterwards. Hosting starts at $4.02/month, with your first month free.
- Sign in
- Visit hermes.runonflux.com and log in β Google or ZelCore login is supported.
- Click Deploy to open the deployment wizard.
- Choose Plan
- Pick Hermes Agent (2 vCPU / 4 GB RAM / 20 GB disk) or Hermes Agent Pro (4 vCPU / 8 GB RAM / 80 GB disk).
- Configure
- Name your instance and select the subscription duration β 1, 3, 6, or 12 months, with discounts for longer terms (3% / 6% / 12%).
- Environment
- Set the required secrets β the same rules apply as on the Marketplace:
DASHBOARD_USERNAMEand a strongDASHBOARD_PASSWORDβ together these protect the Hermes dashboard login. Anyone with these credentials and your app domain can drive the agent and read your AI-provider keys.API_SERVER_KEYβ the bearer token for the OpenAI-compatible API server. You will use this exact value as the API key in external clients. Treat it like a password.
- Secret fields have a built-in Generate button to create strong values for you, plus show/hide and copy controls.
- Optionally provide a
TAILSCALE_AUTHKEYso the agent can reach private services on your Tailscale network β see the Tailscale section below. You can skip this and add it later.
- Location
- Leave the location list empty for global deployment (recommended for best availability), or restrict deployment to specific continents or countries.
- Review & Pay
- Review your order and choose a payment method:
- Card via Stripe β with an optional auto-renewal toggle so your subscription renews automatically.
- Crypto (FLUX) β a one-time payment (no auto-renewal); the same FLUX Mainnet warning below applies.
- The wizard shows a Finalizing screen while your instance deploys, then your new server appears in the portal's dashboard.
- Manage
- Your instance gets a built-in management panel right on the portal, with Overview (live stats), Console (in-browser terminal), Files, Backup, and Billing tabs β see Managing Your App below.
Your app also runs as a standard Flux application, so everything in this guide β the security model, dashboard access, AI provider setup, and the API server β applies identically.
Option B: FluxCloud Marketplaceβ
You can also deploy Hermes Agent from the general-purpose FluxCloud Marketplace at cloud.runonflux.com.
- Access FluxCloud
- Visit cloud.runonflux.com and sign in or create an account.
- Find Hermes Agent
- Navigate to the Marketplace β Applications tab, then locate the Hermes Agent (or Hermes Agent Pro) tile and click View Details.
- Select Server Configuration
- Choose the version that best fits your usage:
- Hermes Agent β 2 vCPU / 4 GB RAM / 20 GB disk, suited for getting started and lighter workloads.
- Hermes Agent Pro β 4 vCPU / 8 GB RAM / 80 GB disk, for heavier or professional usage.
- You can change the specs of your app at any time after deployment to match your needs.
- Click Install Now to continue.
- Choose Subscription
- Select your desired subscription duration.
- Agree to the Terms of Use and Privacy Policy, and click the blue Continue arrow at the bottom.
- Set Dashboard Credentials (Required)
- Choose a
DASHBOARD_USERNAMEand a strongDASHBOARD_PASSWORD. Together these protect the Hermes dashboard login. - The username field's placeholder is
admin, but you can pick any username you like. - Choose a long, unique password β anyone with these credentials and your app domain can drive the agent and read your AI-provider keys.
- Set an API Server Key (Required)
- Provide a strong value in the
API_SERVER_KEYfield. This is the bearer token for the OpenAI-compatible API server. - You will use this exact value as the API key in external clients such as Open WebUI or your own scripts.
- Treat it like a password β keep it secret and make it hard to guess.
- Provide a Tailscale Auth Key (Optional)
- You can optionally provide a Tailscale auth key (
TAILSCALE_AUTHKEY) so the agent can reach private services on your Tailscale network. - This step is not required β you can skip it and add it later from the app settings.
- See the Tailscale section below for details on generating a key.
- Deployment Location
- Configure whether you want your Hermes Agent instance to deploy in specific geographic regions:
- Global (Recommended): No geographic restrictions for best availability.
- Custom: Restrict by continent or country.
- Click the blue Continue arrow to proceed.
- Email Notifications
- Optionally enter your email address to receive notifications about your app, including:
- When your application finishes launching.
- When the primary server changes.
- When your app expiration date is approaching.
- Launching the Application
- Your application must be signed and registered on the Flux network.
- Click Sign and Register.
- Sign the message using the pop-up.
- If you logged in via Google or Email, this step is completed automatically.
- Complete Payment
- Choose your payment method:
- Fiat: Stripe or PayPal
- Crypto: FLUX coin (5% discount)
- Payment is monitored automatically. Once confirmed, your application will be deployed, and a blue Manage button will appearβdirecting you to your application's management panel.
β οΈ Important: FLUX Payments
FLUX payments are only accepted via the FLUX Mainnet, not through any of our EVM tokens.
We ALSO strongly recommend not sending FLUX payments from exchanges, as:
- Transactions or withdrawals may not complete within the required 30-minute window.
- Many exchanges do not support adding a MEMO, which is required for proper payment processing.
Access the Hermes Dashboardβ
The dashboard is the main web interface for driving the agent. It is protected by the password gate you set during deployment.
-
Visit cloud.runonflux.com and log in.
-
Go to Applications β Management and open your Hermes Agent app.
-
Click the primary app domain to launch the dashboard in your browser, for example:
https://appname.app.runonflux.io -
When prompted, sign in with the
DASHBOARD_USERNAMEandDASHBOARD_PASSWORDyou provided during deployment. -
Your browser stores the session, so you only need to log in again after clearing cookies or switching devices.
π‘ Forgot your credentials? You can update
DASHBOARD_USERNAMEandDASHBOARD_PASSWORDat any time from Applications β Management β Settings on your Hermes Agent app. The container restarts with the new credentials.
Configure Your AI Providerβ
Hermes Agent does not include an AI model β you bring your own provider key. It supports OpenRouter, OpenAI, Anthropic, Google Gemini, and many more.
β οΈ The model picker only lists providers that already have a working credential. If you open Models β Change ("Set Main Model") and the "Filter providers and modelsβ¦" box shows nothing, it means no provider key has been added yet β add one first.
Add a provider key (dashboard)β
- Open the Hermes dashboard and click Keys in the sidebar (not Models).
- Add an API key β or OAuth login / custom endpoint β for at least one provider, e.g. your
ANTHROPIC_API_KEY,OPENROUTER_API_KEY, orOPENAI_API_KEY. - Go to Models, click Change on the Main model row, and the now-authenticated provider appears in the left column. Pick a model on the right and click Switch.
Add a provider key (SSH)β
Alternatively, open the Secure Shell β Terminal from your app's management page and run the interactive wizard:
/opt/hermes/.venv/bin/hermes model
It walks you through provider authentication and sets your main model.
π‘ The
hermesCLI is not onPATHin the Secure Terminal β invoke it via the full binary path/opt/hermes/.venv/bin/hermes. If you prefer a shorter command for the session, runexport PATH=/opt/hermes/.venv/bin:$PATHfirst and then callhermesdirectly.
You can add multiple providers and switch the default model at any time. Without at least one provider credential, the model picker stays empty and the agent cannot complete tasks.
The OpenAI-Compatible API Serverβ
In addition to the dashboard, Hermes publishes an OpenAI-compatible API server on a second port. This lets you point external tools β such as Open WebUI or your own scripts β at the agent.
- In Applications β Management, find the second domain listed for your app β this is the API server URL (it is separate from the dashboard URL).
- In your client, set:
- Base URL / API endpoint: the API server domain, e.g.
https://appname_api.app.runonflux.io - API key: the exact
API_SERVER_KEYvalue you set during deployment.
- Base URL / API endpoint: the API server domain, e.g.
- The client sends requests with an
Authorization: Bearer <API_SERVER_KEY>header β most OpenAI-compatible clients do this automatically once you enter the key.
π‘ The API server has its own bearer-token auth and is not behind the dashboard password gate. The
DASHBOARD_PASSWORDandAPI_SERVER_KEYare two independent secrets β one for the web UI, one for the API.
Tailscale (Optional)β
Hermes Agent on Flux includes built-in Tailscale support, allowing the agent to reach private services on your own Tailscale network (your tailnet).
To enable Tailscale:
- Generate an auth key from your Tailscale admin console β use an ephemeral and reusable key for containers.
- Provide the key as
TAILSCALE_AUTHKEYduring deployment, or update it later in the app settings. - Once the container starts, it automatically joins your tailnet.
Advanced options (available in deployment settings):
TAILSCALE_HOSTNAMEβ customize the device name on your tailnet (default:hermes).TAILSCALE_EXTRA_ARGSβ additional flags fortailscale up(e.g.--advertise-tags=tag:server).
Tailscale runs in userspace networking mode because Flux containers do not have kernel-level TUN device access. This has important implications for how the agent connects to other machines on your tailnet β see below.
Connecting to Other Tailscale Machines (SSH, HTTP, etc.)β
Because Tailscale runs in userspace networking mode, it does not create a real network interface inside the container. This means:
tailscale pingandtailscale statuswork normally (they use the Tailscale control plane).- Direct TCP connections (SSH, curl, etc.) do NOT automatically route through Tailscale.
Instead, all outbound traffic to your tailnet must go through the SOCKS5 / HTTP proxy that Tailscale provides on localhost:1055.
curl / HTTP requests to a Tailscale machine:
curl --socks5-hostname localhost:1055 http://<tailscale-ip>:8080
SSH to a Tailscale machine:
ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy localhost:1055 %h %p' user@<tailscale-ip>
Or set the environment variable for all tools that respect it:
export ALL_PROXY=socks5://localhost:1055
What does NOT work without the proxy:
Any tool that tries to connect directly to a Tailscale IP will fail with "connection timed out" or "network is unreachable" β because the container's kernel has no Tailscale routes. Always route through localhost:1055.
Tailscale state is stored inside the app's persistent volume, so the device keeps its identity across restarts and redeploys β it will not create duplicate entries on your tailnet.
Managing Your Appβ
Most day-to-day usage happens in the Hermes dashboard itself. For managing the deployment, you have two panels:
Dedicated portal β hermes.runonflux.com
If you deployed via the dedicated portal (or once your instance shows up there), its management panel gives you:
- Overview β live server stats at a glance.
- Console β an in-browser terminal into the container.
- Files β a built-in file manager.
- Backup β back up your instance data.
- Billing β payment and renewal controls.
FluxCloud β cloud.runonflux.com
Your instance is a standard Flux app, so from Applications β Management on cloud.runonflux.com you can also:
- Update settings β change
DASHBOARD_USERNAME,DASHBOARD_PASSWORD,API_SERVER_KEY, or the Tailscale variables; the container restarts with the new values. - Change specs β scale between the Hermes Agent and Hermes Agent Pro resource tiers.
- Open a Secure Shell β use the Terminal to SSH into the container for advanced troubleshooting.
- Check instances β see which instance is currently the primary under the Instances tab.
Frequently Asked Questionsβ
What is the difference between Hermes Agent and Hermes Agent Pro?β
They run the same software. Hermes Agent is provisioned with 2 vCPU / 4 GB RAM / 20 GB disk, while Hermes Agent Pro has 4 vCPU / 8 GB RAM / 80 GB disk for heavier workloads. You can switch tiers after deployment from Applications β Management.
What is the dashboard username and password?β
Both are values you choose during deployment β DASHBOARD_USERNAME and DASHBOARD_PASSWORD. The username field suggests admin as a placeholder, but you can set any username.
I forgot my dashboard credentials β how do I reset them?β
Update DASHBOARD_USERNAME and/or DASHBOARD_PASSWORD from Applications β Management β Settings on your Hermes Agent app. The container restarts with the new credentials.
Why are there separate dashboard credentials and an API_SERVER_KEY?β
They protect two different entry points. DASHBOARD_USERNAME / DASHBOARD_PASSWORD gate the web dashboard (via the Caddy basic-auth proxy). API_SERVER_KEY is the bearer token for the OpenAI-compatible API server. They are independent β set all three, and keep the API key different from the dashboard password.
The "Set Main Model" picker is empty β no providers or models show up. Why?β
The model picker only lists providers that have a working credential. An empty filter means no AI provider key has been added yet. Open the Keys section in the dashboard sidebar and add an API key (e.g. ANTHROPIC_API_KEY or OPENROUTER_API_KEY), or run /opt/hermes/.venv/bin/hermes model from the Secure Terminal (the CLI is not on PATH). The provider then appears in the picker. See Configure Your AI Provider above.
How do I connect Open WebUI or another client to the API server?β
Point the client at the second domain shown for your app in the management panel and use your API_SERVER_KEY as the API key. The Hermes API is OpenAI-compatible, so any client that supports a custom OpenAI base URL will work.
Do I need a Tailscale auth key?β
No. Tailscale is optional β leave TAILSCALE_AUTHKEY empty to skip it. Only provide a key if you want the agent to reach private services on your own tailnet. You can add it later from the app settings.
I provided a Tailscale auth key but the agent cannot SSH to other tailnet machines β why?β
Flux containers run Tailscale in userspace networking mode, so direct TCP connections to Tailscale IPs will not work. Route traffic through the SOCKS5 proxy on localhost:1055 as shown in the Tailscale section above.
Can I change my app's hardware specifications after deployment?β
Yes. At any time β if you feel the hardware specifications no longer reflect your needs β you can adjust them from Applications β Management β Update App Specifications on the Components tab. Your data is preserved across the change, and you are billed according to the new specifications.
What happens if the primary server goes down?β
If your current primary server becomes unavailable, one of the standby instances automatically takes over as the new primary after a short delay. Your Hermes Agent data remains intact so you can continue where you left off once the switch is complete. You can check which instance is currently the primary from your application's management panel under the Instances tab.